Synchronized Swimming: The Relationship Between Privacy and Cybersecurity Teams

May 30, 2024 Omer Grossman


Data theft, data protection and the leakage of passwords or secrets are the top two cloud security concerns for 2,400 cybersecurity experts, according to the recently released CyberArk 2024 Identity Security Threat Landscape Report. In an ever-expanding digital ecosystem of multi-cloud environments, countless on-prem and SaaS applications, and third-party and fourth-party providers, 94% of organizations report having faced at least one identity-related breach in the last 12 months. Nearly all (99%) of these victimized organizations report negative impacts on the business, such as the cost of recovery and the financial burden of lawsuits and regulatory fines.

Post-breach scenarios are often tense and scrutinized heavily by stakeholders, including auditors, boards of directors, customers and shareholders. In such a scenario, cybersecurity teams intensify their focus on containment and remediation of the attack. In contrast, privacy teams focus on understanding and limiting the extent of regulatory non-compliance, potential fines and customer impact. The impact of a breach therefore extends beyond the cybersecurity team to others, including the privacy team, which is critical to defining data privacy requirements.

Yet, often, organizations make the mistake of carving individual swim lanes for the roles and responsibilities of cybersecurity vs. privacy teams. This approach is simply bad practice – I am convinced that privacy and cybersecurity should be on the same team, working in lockstep with one another, similar to synchronized swimmers.

At its best, synchronized swimming is not just a beautiful sight but a challenging sport that takes enormous effort and commitment to get right. Drawing on the concept of synchronization, it’s essential to understand that privacy and cybersecurity are not separate swim lanes with competitive goals; they are inseparable components of a perfectly synchronized swimming act. I think cybersecurity and privacy are much like the individual athletes committed to a group sport with a singular goal – securing sensitive data and maintaining confidentiality.

Let me explain how.

The Inseparable Bond Between Privacy and Cybersecurity Teams

Privacy and cybersecurity teams need to collaborate more to ensure the highest level of protection for their organizations’ sensitive assets. For example, the Chief Privacy Officer’s (CPO’s) team should ideally define a data collection, retention, storage and usage policy. The policy should address critical questions, including what organization is collecting the data, its purpose and intended use, the data processing location, the data retention duration and, most importantly, who is authorized to access it.

Only when this is defined can the Chief Information Security Officer (CISO) and their cybersecurity team ensure data is protected throughout its lifecycle, mainly when it’s in use, in flight and at rest in the appropriate geographical location as required by regulations.

Now, consider a situation where the CPO and CISO aren’t actively collaborating. In that case, data and access to it may well be secured, but not in accordance with the applicable (country- and industry-specific) privacy laws. Such conditions can lead to heavy non-compliance fines even without a data breach. For a robust cybersecurity and privacy program, privacy teams must classify the data sensitivity level as required by law so that cybersecurity teams can apply the security controls needed to protect it.

The CPO and CISO must collaborate regularly to consider the impact on confidentiality, integrity and availability of data and privacy. The industry interchangeably uses the words confidentiality and privacy, but they are different. Confidentiality can be enabled through agreements between two or more parties that limit data sharing by controlling access.

Ethical considerations can also play a role in limiting data sharing and enabling confidentiality. On the other hand, privacy is the right to freedom from intrusion into personal information. Adopting disparate tools or processes in a siloed manner will only increase gaps in maintaining the confidentiality and privacy of data. A synchronized approach wherein privacy teams classify data requirements and cybersecurity experts use this framework to secure data is the only proper approach to maintaining confidentiality and data privacy.
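As an added illustration of the split described above (example code, not from the post or from CyberArk), a small Python check that evaluates a dataset’s security controls separately from its privacy requirements, so the “secured but not per the applicable privacy laws” case from earlier shows up as an empty security list beside a non-empty privacy list. The dataset name, regions, roles and retention values are constructed placeholders.

```python
from dataclasses import dataclass
# Constructed sample of the split the post describes: the privacy team records what the
# law requires of a dataset; the security team records what is actually deployed.
@dataclass(frozen=True)
class PrivacyRequirement:
    dataset: str
    purpose: str
    allowed_regions: frozenset   # where processing/storage is permitted
    retention_days: int          # how long the data may be kept
    authorized_roles: frozenset  # who may access it (least privilege)

@dataclass(frozen=True)
class DeployedDataset:
    dataset: str
    region: str
    encrypted_at_rest: bool
    tls_in_transit: bool
    age_days: int
    roles_with_access: frozenset

def security_findings(d: DeployedDataset) -> list:
    """Controls the cybersecurity team owns: data protected at rest and in flight."""
    findings = []
    if not d.encrypted_at_rest:
        findings.append("not encrypted at rest")
    if not d.tls_in_transit:
        findings.append("not encrypted in transit")
    return findings

def privacy_findings(req: PrivacyRequirement, d: DeployedDataset) -> list:
    """Requirements the privacy team owns: residency, retention, authorized access."""
    findings = []
    if d.region not in req.allowed_regions:
        findings.append(f"stored in {d.region}; allowed {sorted(req.allowed_regions)}")
    if d.age_days > req.retention_days:
        findings.append(f"retained {d.age_days} days; limit {req.retention_days}")
    extra = d.roles_with_access - req.authorized_roles
    if extra:
        findings.append(f"roles beyond least privilege: {sorted(extra)}")
    return findings

def assess(req: PrivacyRequirement, d: DeployedDataset) -> dict:
    """Report both views side by side; a clean security list does not imply compliance."""
    return {"security": security_findings(d), "privacy": privacy_findings(req, d)}

# Constructed example: encrypted everywhere (security is satisfied) but stored outside the
# permitted region, kept past retention, and readable by a role the policy never listed.
CUSTOMER_PII = PrivacyRequirement("customer_pii", "order fulfilment", frozenset({"eu-west-1"}),
                                  365, frozenset({"sales", "support"}))
SECURE_BUT_NONCOMPLIANT = DeployedDataset("customer_pii", "us-east-1", True, True, 400,
                                          frozenset({"sales", "support", "marketing"}))
```

Running `assess(CUSTOMER_PII, SECURE_BUT_NONCOMPLIANT)` returns no security findings and three privacy findings, which is exactly the outcome the two teams only catch together.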

Cybersecurity Tools and PETs: A Comprehensive Approach to Data Protection

As a technology leader, I see a combination of cybersecurity tools and privacy-enhancing technologies (PETs) in today’s market. For example, data encryption in flight or at rest and data masking or obfuscation protect sensitive information in many ways. While cybersecurity capabilities have been around for a long time and continue to evolve, PETs are relatively new and aim to protect private data in a regulated landscape. Many PETs, like data security posture management (DSPM) as part of a cloud-native application protection platform (CNAPP), already enable streamlined data security and privacy capabilities. Other PETs, like homomorphic encryption or confidential computing, are built to address specific use cases, such as maintaining data privacy.

Homomorphic encryption and confidential computing both show promise in enhancing privacy. However, these technologies have yet to be widely adopted. Confidential computing is not easy to adopt and is not yet a multi-purpose technology; it is limited to some use cases, mainly cloud-based encryption of data in use. As a result, both are far from being adopted at scale. In the meantime, the only way to ensure data confidentiality and privacy is by securing every human and machine identity that accesses sensitive data across your IT environment.

Identity at the Core of Privacy

Maintaining privacy by securing access for all identities involves managing access rights effectively for every identity throughout its lifecycle. The privacy teams outline access to resources for every identity based on the roles of every business function. Whether it’s sales representatives accessing customer data, HR professionals handling sensitive employee information, or IT managers overseeing system resources, it’s essential to uphold the principle of least privilege (PoLP) to ensure that only the right people have access to specific data, reducing the risk of unauthorized data exposure. Implementing comprehensive Identity and Access Management (IAM) controls and capabilities is necessary to secure access for all identities and maintain privacy.

Here are two examples:

  • An adaptive form of multi-factor authentication (MFA) can enable organizations to strengthen their security posture through additional checks to validate identities in multiple layers.
  • Automated lifecycle management can help organizations easily define and enforce each user’s unique role, responsibilities and access privileges.

Privacy and Cybersecurity: A Synchronized Act

I am convinced that cybersecurity enables privacy – and not vice versa. To illustrate this theory, let’s look at the relationship between the different layers of swimmers in a synchronized swimming “lift.” The base is a swimmer underwater at the bottom of a lift. The base swimmers provide the force for pushers to stand up explosively and thrust flyers, the top layer of this aquatic human pyramid.

Our industry’s privacy teams are the equivalent of the pushers, with a core strength of data privacy regulatory requirements and a thorough understanding of the law. The base swimmers are cybersecurity teams who harness their information technology (IT) background and technical skills to implement security controls according to the regulatory requirements outlined by the privacy teams (the pushers).

Without the pushers, cybersecurity teams (the base) will secure data and access to it, but not in accordance with applicable laws. As such, cybersecurity teams enable privacy teams to fulfill their responsibilities better. With the pushers and the base strong in their positions, the flyers are the athletes thrust upward – or, for the sake of this comparison, the flyers are the average business users (or identities) – who can execute their daily tasks productively and securely while maintaining confidentiality and privacy.

When privacy and cybersecurity teams collaborate and align, it feels like a perfectly executed synchronized swimming performance with the three groups of athletes – the flyers, the pushers and the base – in perfect lockstep.

The Perfectly Synchronized Act of Privacy and Cybersecurity Teams

As easy as this act looks, it’s not, unless it’s planned strategically and collaboratively. As much as synchronized swimming is a treat to behold, it’s a demanding sport with dangerous and challenging maneuvers. For cybersecurity teams, these challenges and difficulties translate to a changing regulatory landscape, an evolving threat landscape, a deepening digital ecosystem of third- and fourth-party providers and an increasing number of identities that have access to growing sensitive datasets, among other concerns.

However, in collaboration with the privacy teams and with a regularly evaluated risk framework, our act as cybersecurity leaders and technologists can be a treat to behold as well.

All this talk about synchronized swimming has gotten me thinking of the Summer Games set to take place in France this year. I look forward to watching the swimming heats and synchronized swimming competitions this summer. While doing so, I’ll brainstorm how to actively and effectively coordinate with privacy teams to protect sensitive data for CyberArk and our customers. I kid you not.

I hope you’re inspired to do the same.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.
